- From: Mike West <mkwst@google.com>
- Date: Tue, 22 Jul 2014 12:48:59 +0200
- To: Jake Archibald <jaffathecake@gmail.com>
- Cc: Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Tue, Jul 22, 2014 at 12:40 PM, Jake Archibald <jaffathecake@gmail.com> wrote:
> Looks great to me.

Hooray!

> In https://w3c.github.io/webappsec/specs/mixedcontent/#category-blockable, I
> don't think we need:
>
> * ServiceWorkers - we don't allow them on http pages & they can't be on
>   other origins
> * Data - doesn't the CORS rule take care of this? (except WebSockets)

Indeed. These are double-blocked! It's redundant, but I think dropping 'serviceworker', 'xmlhttprequest', and 'eventsource' from the "blockable" category would be more confusing than leaving them there, even though they will technically be blocked in a slightly different way than, say, 'script'.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 22 July 2014 10:49:47 UTC